ENSURING COMPLIANCE TO PERSONAL DATA PROTECTION LAW
By: Windri Marieta and Nicholas Wianto
Law No. 27 of 2022 regarding Personal Data Protection (“PDP Law”) became fully effective 2 (two) years after its enactment, on 17 October 2024. Since then, all companies that process Personal Data are obliged to comply with the provisions of the PDP Law. Non-compliance with the PDP Law may expose a company to administrative sanctions or penalties, as well as to claims or lawsuits from Personal Data Subjects.
Pursuant to Article 1 paragraph 1 of the PDP Law, Personal Data means data about an individual who is identified or can be identified, separately or in combination with other information, either directly or indirectly, through an electronic or non-electronic system. Personal Data is data of a natural person, not data of a corporation or company. The PDP Law further classifies Personal Data into 2 (two) categories, namely general data and specific data. The following are examples of general data and specific data pursuant to Article 4 of the PDP Law:
General Data | Specific Data
a. full name; b. gender; c. citizenship; d. religion; e. marital status; and/or f. combined Personal Data to identify a person. | a. health data and information; b. biometric data; c. genetic data; d. crime records; e. child data; f. personal financial data; and/or g. other data pursuant to the provisions of laws and regulations.
The PDP Law also introduces the main parties in the framework of processing Personal Data, which can be seen in the following table:
Personal Data Controller (“Controller”) | Any person, public authority or international organization, acting individually or jointly, that determines the purposes of and exercises control over the processing of Personal Data.
Personal Data Processor (“Processor”) | Any person, public authority or international organization, acting individually or jointly, that processes Personal Data on behalf of the Controller.
Personal Data Subject | An individual to whom Personal Data is attached.
Since the Controller is the party that determines the purpose of processing Personal Data, it is directly responsible to the Personal Data Subject. The Processor, on the other hand, as the party appointed by the Controller, is responsible to the Controller. In certain circumstances the processing of Personal Data may be carried out by 2 (two) or more Controllers, and it is also possible for a Controller to appoint 2 (two) or more Processors.
Further, the PDP Law outlines the rights of the Personal Data Subject that must be fulfilled by the Controller, namely:
a. Right to obtain information related to the clarity of identity, the basis of legal interests, the purposes of the request and use of Personal Data, and accountability of the party which requests Personal Data;
b. Right to complete, update, and/or correct errors and/or inaccuracies in Personal Data;
c. Right to access and obtain a copy of Personal Data;
d. Right to end the processing of, erase and/or destroy Personal Data;
e. Right to withdraw consent to the processing of Personal Data;
f. Right to object to decisions based solely on automated processing;
g. Right to delay or limit the processing of Personal Data in a proportionate manner;
h. Right to claim and receive compensation for violations of the PDP Law; and
i. Right to obtain and/or use Personal Data in a structure and/or format that is commonly used or readable by electronic systems.
In carrying out the processing of Personal Data, a company that acts as a Controller shall ensure that these rights of the Personal Data Subject can be fulfilled.
In addition to the above, a company is also obliged to keep a Record of Processing Activities (“ROPA”), to conduct a Data Protection Impact Analysis (“DPIA”) and to appoint a Data Protection Officer (“DPO”).
ROPA is regulated under Article 31 and Article 52 of the PDP Law, which stipulate that each Controller and Processor is obliged to keep a ROPA for all Personal Data processing activities. The ROPA also serves as evidence of the company’s transparency in processing Personal Data. Unlike the ROPA, the obligation to conduct a DPIA rests only on the Controller, and it only arises if the processing of Personal Data has a high-risk potential for the Personal Data Subject pursuant to Article 34 of the PDP Law.
To ensure the company’s compliance with the principles of Personal Data Protection, Article 53 of the PDP Law stipulates that a company is obliged to appoint a DPO in the case of:
a. processing of Personal Data for public services purposes;
b. core activities of Controller have a nature, scope, and/or purpose that requires regular and systematic monitoring of Personal Data on a large scale; and
c. core activities of Controller consist of large scale processing of specific Personal Data and/or Personal Data relating to criminal offences.
The DPO essentially serves to check and ensure the company’s compliance with the PDP Law; hence, appointing a DPO is a necessary step for the company to ensure compliance. The DPO may be appointed from within the company, or the company may engage an external party to perform the DPO function.
The PDP Law also regulates sanctions that can be imposed on a company that violates it. These sanctions take the form of administrative sanctions and criminal sanctions. The administrative sanctions that can be imposed on a company for violating the PDP Law are regulated under Article 57 of the PDP Law, in the form of:
a. written warning;
b. temporary suspension of processing of Personal Data activities;
c. deletion or destruction of Personal Data; and/or
d. administrative fines.
Article 57 paragraph (3) of the PDP Law further elaborates on the administrative fines that can be imposed on a company that violates the PDP Law, which may amount to a maximum of 2% (two per cent) of the company’s annual income or annual revenue.
In addition to administrative sanctions, Article 70 of the PDP Law regulates corporate criminal offences that can be imposed on the company’s organs, the controllers of the company, commanders, the beneficial owner and/or the company itself for violating several provisions of the PDP Law, namely illegal collection of Personal Data, illegal disclosure and use of Personal Data, and falsification of Personal Data. Furthermore, a company that violates the criminal provisions of the PDP Law may also be subject to additional sanctions, ranging from confiscation of profits and/or assets obtained from the criminal offence, suspension of the company and revocation of licences, up to the dissolution of the company.
Given the complexity of exercising the rights of the Personal Data Subject, which are connected with the obligations of the Controller and Processor, and the severity of the sanctions that can be imposed on a company, it is important for the company to ensure that its Personal Data processing activities are aligned with the PDP Law. Compliance with the PDP Law also benefits the company by maintaining its business reputation as an accountable and transparent processor of Personal Data, while preventing the company from being sued and/or prosecuted by Personal Data Subjects.
Any requests for personal data compliance services can be submitted to our Partner in-charge:
Windri Marieta
marieta@marietamauren.id